Tuesday, March 19, 2013

Image a scenario where someone wants to target your computer to get access to your files. This task can be accomplished in several ways and one of them is using a java exploit on a crafted/compromised website.

What i want to test is how AntiVirus manage "unknown" threads or forbidden behavior (an unsigned applet shouldn't be allowed to download files to your local disk).

This test is based on basic/home/free products like Symantec AntiVirus and not Symantec Internet Security which has more features. Some companies provide only Internet Security suites so this cannot be a fully comparison between these products.

I tried to test all AntiVirus in this list but i came out with only 32, because some of them don't provide a free trial and the others i was unable to find it or install it. The important thing is that i covered all major/popular AntiVirus.

The exploit is CVE-2013-1493 not obfuscated that after a successfully exploitation tries to download from a remote host to temp directory hello.jpg , after that the is renamed to hello.exe and executed using cmd "cmd /C 'temp_path\hello.exe'".

The executable just prompt "Hello Malware".

I decided to run this executable instead of the classic calculator because some AntiVirus have cloud based reputation service and since this is an unknown file dropped by java (like malware) they should prompt some warning.

Maybe someone of you will say "this is not a malware, of course av doesn't block it", what i want to test here is the software against the java exploit not about malicious executable detection, because this is another story.

Developers of chk4me claim to not send uploaded files to AntiVirus companies so this is the right place to check the exploit before the test.

To be more clear i made this table where i report the "score" obtained by the AntiVirus against CVE-2013-1493.

5 (16 %) don't detect the exploit but they warn you about the executable

3 (9 %) detect the exploit.

Looking only the exploit, 91 % don't detect it and 9 % are able to block it.

There were some cases where i was undecided between the score 1 or 2, like the case of ArcaVir. When an applet tries to contact another domain ArcaVir prompt you an alert, however its not saying "this is an exploit and i block it" but "hey, this applet is trying to connect to this domain, what you wanna do ?". For this reason i opted for a score of 1 instead of 2.

Symantec surprised me because a couple of months ago didn't detect any java exploit and now they block it all, maybe they have decided to improve their basic software after the Wall Street Journal story.

As last thing here is the video, maybe you will find it boring but you can see how several antiviruses handles a java exploit.